---
title: "Github Actions + AWS"
---

In this tutorial, you will set up Digger to automate terraform pull requests using Github Actions and AWS

# Prerequisites

- A GitHub repository with valid terraform code. Here's a [demo repo](https://github.com/diggerhq/quickstart-actions-aws)
- Your AWS credentials. See [Hashicorp's AWS tutorial](https://developer.hashicorp.com/terraform/tutorials/aws-get-started/aws-build)

# Step 1: create your Digger account

Head to [ui.digger.dev](https://ui.digger.dev) and sign up using your preferred method.

You should see onboarding screen after you sign up, which guides you to install the github app and perform the next steps

# Step 2: install the Digger GitHub App

Install the Digger [GitHub App](https://github.com/apps/digger-pro) into your repository.

<Note>
Digger GitHub App does not need access to your cloud account, it just starts jobs in your CI. All sensitive data stays in your CI job.

You can also [self-host Digger orchestrator](/ce/self-host/deploy-docker) with a private GiHub app and issue your own token

</Note>

# Step 3: Create Action Secrets with AWS credentials (you can also [use OIDC](/ce/cloud-providers/authenticating-with-oidc-on-aws)

In GitHub repository settings, go to Secrets and Variables - Actions. Create the following secrets:

- `AWS_ACCESS_KEY_ID`
- `AWS_SECRET_ACCESS_KEY`

# Step 4: Create digger.yml

This file contains Digger configuration and needs to be placed at the root level of your repository. Assuming your terraform code is in the `prod` directory:

```
projects:
- name: production
  dir: prod
```

# Step 5: Create Github Actions workflow file

Place it at `.github/workflows/digger_workflow.yml` (name is important!)

```
name: Digger Workflow

on:
  workflow_dispatch:
    inputs:
      spec:
        required: true
      run_name:
        required: false

run-name: '${{inputs.run_name}}'

jobs:
  digger-job:
    runs-on: ubuntu-latest
    permissions:
      contents: write      # required to merge PRs
      actions: write       # required for plan persistence
      id-token: write      # required for workload-identity-federation
      pull-requests: write # required to post PR comments
      issues: read         # required to check if PR number is an issue or not
      statuses: write      # required to validate combined PR status

    steps:
      - uses: actions/checkout@v4
      - name: ${{ fromJSON(github.event.inputs.spec).job_id }}
        run: echo "job id ${{ fromJSON(github.event.inputs.spec).job_id }}"
      - uses: diggerhq/digger@vLatest
        with:
          digger-spec: ${{ inputs.spec }}
          setup-aws: true
          setup-terraform: true
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        env:
          GITHUB_CONTEXT: ${{ toJson(github) }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

# Step 6: Create a PR to verify that it works

Terraform will run an existing plan against your code.

Make any change to your terraform code e.g. add a blank line. An action run should start (you can see log output in Actions). After some time you should see output of Terraform Plan added as a comment to your PR.

Then you can add a comment like `digger apply` and shortly after apply output will be added as comment too.
